Deeplinks Blog posts about Security

Over the weekend Russian IT security vendor Kaspersky Lab released a report about a new family of malware dubbed "The Equation Family". The software appears, from Kaspersky's description, to be some of the most advanced malware ever seen. It is composed of several different pieces of software, which Kaspersky Lab reports work together and have been infecting computer users around the world for over a decade. It appears that specific techniques and exploits developed by the Equation Group were later used by the authors of Stuxnet, Flame, and Regin.

News broke last night that Lenovo has been shipping laptops with a horrifically dangerous piece of software called Superfish, which tampers with Windows' cryptographic security to perform man-in-the-middle attacks against the user's browsing. This is done in order to inject advertising into secure HTTPS pages, a feature most users don't want implemented in the most insecure possible way.

More needs to be done to protect cyberspace and enhance computer security. But President Obama's cybersecurity legislative proposal recycles old ideas that should remain where they've been since May 2011: on the shelf. Introducing information sharing proposals with broad liability protections, increasing penalties under the already draconian Computer Fraud and Abuse Act, and potentially decreasing the protections granted to consumers under state data breach law are both unnecessary and unwelcome.

Last month we were very pleased to announce our work with Mozilla, the University of Michigan, Cisco, Akamai and IdenTrust on Let's Encrypt, a totally free and automated certificate authority that will be launching in summer 2015. In order to let mainstream browsers seamlessly connect securely to your web site, you need a digital certificate. Next year, we'll provide you with that certificate at no charge, and, if you choose, our software will install it on your server in less than a minute. We've been pursuing the ideas that turned into Let's Encrypt for three years, so it was a great pleasure to be able to share what we've been working on with the world.

Three major vulnerabilities rocked the world of Internet security this year, including two high-profile bugs that jeopardized the security of HTTPS encryption itself. These vulnerabilities may have each cost sysadmins around the world some sleepless nights, but they also reinforced the idea that best security practices can protect users even where the software has bugs.